sysstat is vulnerable to remote code execution. The vulnerability exists in the allocate_structures function of sa_common.c because bounds are insufficiently checked before an arithmetic multiplication, which allows an attacker to inject and execute malicious query parameters.
git://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2022-39377
github.com/sysstat/sysstat/blob/v12.6.0/sa_common.c#L456-L469
github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540
github.com/sysstat/sysstat/releases/tag/v12.7.1
github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
lists.debian.org/debian-lts-announce/2022/11/msg00014.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6F26ALXWYHT4LN2AHPZM34OQEXTJE3JZ/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7X6WKTODOUDV6M3HZMASYNZP6EM4N7W4/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHUVUDIVDJZ7AVXD3XX3NBXXXKPOKN3N/
security.gentoo.org/glsa/202211-07
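
The class of bug described above, as an added example that is not sysstat's code: a buffer size computed as a product of three counts, first unchecked and then with a bounds check before each multiplication. The function names, parameter names and input values are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names throughout; this is not sysstat's code. */

/* Unchecked: the product silently wraps modulo SIZE_MAX + 1. */
size_t buf_size_unchecked(size_t item_size, size_t nr, size_t nr2)
{
    return item_size * nr * nr2;
}

/* Checked: rejects any product that does not fit in size_t. */
bool buf_size_checked(size_t item_size, size_t nr, size_t nr2, size_t *out)
{
    size_t total = item_size;

    if (nr != 0 && total > SIZE_MAX / nr)
        return false;
    total *= nr;
    if (nr2 != 0 && total > SIZE_MAX / nr2)
        return false;
    total *= nr2;
    *out = total;
    return true;
}

/* Allocate only when the size computation is sound and non-zero. */
void *alloc_records(size_t item_size, size_t nr, size_t nr2)
{
    size_t total;

    if (!buf_size_checked(item_size, nr, nr2, &total) || total == 0)
        return NULL;
    return malloc(total);
}

int main(void)
{
    /* Constructed input: 2^(N-1) * 2 wraps to 0 on an N-bit size_t. */
    size_t big = SIZE_MAX / 2 + 1, total = 0;

    printf("unchecked size: %zu\n", buf_size_unchecked(big, 2, 1));
    printf("checked accepts: %d\n", buf_size_checked(big, 2, 1, &total));
    return 0;
}
```

A caller that trusted the unchecked result would allocate a buffer smaller than the data later written into it, which is why the check has to come before the multiplication and not after the allocation.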